Analysis Overview
SHA256
9af31d18ef5af8d20ed75f9cc76185d119990e2adea7748c16562359a1dc3d5d
Threat Level: Known bad
The file 0080900000000000004.exe was found to be: Known bad.
Malicious Activity Summary
Snakebot family
AgentTesla
CoreEntity .NET Packer
Contains SnakeBOT related strings
rezer0
AgentTesla Payload
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 19:37
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:07
Platform
win7v20201028
Max time kernel
71s
Max time network
18s
Command Line
Signatures
AgentTesla
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
AgentTesla Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
rezer0
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1004 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe
"C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LsoUSx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp561C.tmp"
C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe
"{path}"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
Files
memory/1004-0-0x00000000741E0000-0x00000000748CE000-memory.dmp
memory/1004-1-0x0000000001040000-0x0000000001041000-memory.dmp
memory/1408-3-0x000007FEF7160000-0x000007FEF73DA000-memory.dmp
memory/1004-4-0x0000000000560000-0x0000000000563000-memory.dmp
memory/1004-5-0x0000000007290000-0x00000000072E3000-memory.dmp
memory/1940-6-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp561C.tmp
| MD5 | b62d69fbede68916cbca6dc495030b6f |
| SHA1 | 67e2dd36210daf7b3bf34e6e8e2194968c403f02 |
| SHA256 | 2d43568e9c62eaaf995e9cbf3b5bac177ea7f7e04a88f83ab75278cc62b281fb |
| SHA512 | bdab864ed91d2a27193c0611678ee381ae3fb228aa4ccaf2694315e97121d64e2f58905ea842e43a63a8b1c687b122016f3768d7d8743daa3af73b10a0e8a7c9 |
memory/2044-8-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2044-9-0x000000000044C9EE-mapping.dmp
memory/2044-10-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2044-11-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2044-12-0x00000000741E0000-0x00000000748CE000-memory.dmp
memory/1824-15-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:07
Platform
win10v20201028
Max time kernel
63s
Max time network
124s
Command Line
Signatures
AgentTesla
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
AgentTesla Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
rezer0
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3988 set thread context of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe
"C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LsoUSx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1785.tmp"
C:\Users\Admin\AppData\Local\Temp\0080900000000000004.exe
"{path}"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | smtp.ionos.mx | udp |
| N/A | 74.208.5.8:587 | smtp.ionos.mx | tcp |
| N/A | 74.208.5.8:587 | smtp.ionos.mx | tcp |
Files
memory/3988-0-0x00000000738E0000-0x0000000073FCE000-memory.dmp
memory/3988-1-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
memory/3988-3-0x0000000007E70000-0x0000000007E71000-memory.dmp
memory/3988-4-0x0000000007A10000-0x0000000007A11000-memory.dmp
memory/3988-5-0x0000000007970000-0x0000000007971000-memory.dmp
memory/3988-6-0x0000000004ED0000-0x0000000004ED3000-memory.dmp
memory/3988-7-0x000000000B2F0000-0x000000000B343000-memory.dmp
memory/3988-8-0x000000000B3F0000-0x000000000B3F1000-memory.dmp
memory/2684-9-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1785.tmp
| MD5 | 0ba7da637bb25302ae9701b3df8de7a8 |
| SHA1 | 098ac627d4f4c2732c618d617da5ecfe2d8bc9ea |
| SHA256 | dd4d0e35268730a02e30b25de97503c1e3515c5f79630471b258557557e0a9d4 |
| SHA512 | 294dda41b75ee08ca711fa668643b6e4c4bb8e201f6814a5e5c2f1d03ae386ecb14dbee4f5e819db79fab3e4a04fc176ce2eb0ab011580a96986733c0f1595f8 |
memory/3948-11-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3948-12-0x000000000044C9EE-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0080900000000000004.exe.log
| MD5 | b4f7a6a57cb46d94b72410eb6a6d45a9 |
| SHA1 | 69f3596ffa027202d391444b769ceea0ae14c5f7 |
| SHA256 | 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b |
| SHA512 | be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c |
memory/3948-14-0x00000000738E0000-0x0000000073FCE000-memory.dmp
memory/3948-19-0x0000000005020000-0x0000000005021000-memory.dmp
memory/3948-20-0x0000000005BF0000-0x0000000005BF1000-memory.dmp
memory/2504-21-0x0000000000000000-mapping.dmp